ATM jackpotting demoed at Black Hat

Jul 29, 2010 12:05 GMT  ·  By

Security researcher Barnaby Jack gave his long overdue presentation on ATM exploits in front of an audience at the Black Hat security conference in Las Vegas. The hacker managed to force two different ATM models to dispense cash using both remote and local attacks.

Automated Teller Machines (ATMs) are pretty much ubiquitous these days and most people are used to trusting them. Unfortunately, the sad reality is that these machines are far from safe and the rate of ATM crime is on a steep climb.

Attacks like ATM skimming have been around for a long time, and several variants of ATM malware have also appeared in the past two years. However, Barnaby Jack's research, which involves remotely exploitable vulnerabilities, takes ATM security risks to a whole new level.

The first attack demoed by the IOActive researcher targeted a vulnerability in the software used to administer an ATM model from Tranax Technologies remotely, over the phone. Successful exploitation allowed Jack to install a custom-made rootkit he named Scrooge, which had the capability to record admin passwords, PIN numbers, and force the machine to spit out cash.

Another John Connor-like cash dispensing trick [Terminator 2 scene reference], dubbed "jackpotting", was performed on an ATM model from Triton Systems. To access this machine, the security researcher used a standard key bought from the Internet. He then installed the same rootkit by hooking up a USB device to it.

"It's time to give these devices an overhaul. There hasn't been a secure development methodology from the get go. The simple fact is companies who manufacture the devices aren't Microsoft. They haven't had 10 years of continued attacks against them," Barnaby Jack told his audience.

According to The Register, both ATM manufacturers were notified in advance of the vulnerabilities and have deployed protective measures. However, the researcher thinks similar security holes likely exist in other models from other vendors as well.

You can follow the editor on Twitter @lconstantin